Twitter Settles FTC Charges that it Failed to Protect User Data

The FTC in its administrative complaint said these security lapses allowed hackers to obtain administrative control of Twitter and send out phony tweets from users including then-President-elect Barack Obama and Fox News. The hackers were also able to gain access to nonpublic user information.

The first security breach occurred in January 2009, when a hacker gained administrative control of Twitter after submitting thousands of guesses into Twitter’s login webpage via an automatic password-guessing tool. The hacker eventually hit on the correct password (a “weak, lower case, common dictionary word,” according to the FTC) and sent fraudulent tweets from user accounts.

Among them: Barack Obama, who offered his more than 150,000 Twitter followers $500 in free gasoline.

In April 2009, a second breach occurred after a hacker accessed a Twitter employee’s personal e-mail account and used information there to guess the employee’s Twitter administrative password.

Twitter on its corporate blog stressed the incidents were small in scale, noting “There were 45 accounts accessed in a January incident and 10 that April for short periods of time... Within hours of the January breach, we closed the security hole and notified affected account holders. We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users.”

Twitter also noted that the company at the time employed fewer than 50 people and was the “victim of an attack.”

Still, the FTC alleged that Twitter was vulnerable to the attacks because it “failed to take reasonable steps to prevent unauthorized administrative control of its system.”

Under the terms of the consent decree, Twitter will be barred for 20 years from misrepresenting “the extent to which [it] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.”

The company must also establish an information security program, which will be assessed by a third party every other year for 10 years.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection, in a statement. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”

Twitter in its blog noted “We'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices.”

Twitter general counsel Alexander Macgillivray signed the complaint for the company. He was named general counsel in 2009, and served previously as deputy general counsel for products and intellectual property at Google, Inc. Before that, he was a litigator at Wilson Sonsini Goodrich & Rosati.

To Reed Smith data privacy law specialist Paul Bond, who is based in Princeton, the complaint against Twitter is the FTC’s latest attempt to “codify laws and regulations that don’t otherwise exist on the books,” he said. “The FTC’s complaint did not point to any law that says ‘Thou shalt use strong passwords.’”

Instead, the FTC more broadly argued Twitter’s practices were false and deceiving and could have caused confusion.

Bond continued, “Without passing any law or regulation, the FTC is putting all American companies on notice that it expects password protection programs to be put in place.”